Hi Andreas,

If the warning below is not an issue, then I would like to collect an LSASS 
trace from the server returning the error, along with a concurrent network 
capture from the same server. The LSASS trace can be quite large, but is highly 
compressible, so please add it to a .zip archive before uploading (file transfer 
workspace credentials are below). Please log into the workspace and find 
PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be 
staged onto the Windows server in any location (instructions below assume 
C:\TTD). 

To collect the needed traces:
        1. From an elevated command prompt, execute: 
           tasklist /FI "IMAGENAME eq lsass.exe"
        2. Note the PID of the lsass process from the output of the above command.
        3. Execute: C:\TTD\TTTracer.exe -attach PID, where PID is the number 
           from above.
        4. Wait for a little window to pop up in the top left corner of your 
           screen, titled "lsass01.run".
        5. Start a network trace on the server side.
        6. Repro the attempted operation.
        7. Stop the network trace and save it.
        8. CAREFULLY: uncheck the checkbox next to "Tracing" in the small 
           "lsass01.run" window. Do not close or exit the small window or you 
           will need to reboot. 
        9. The TTTracer.exe process will generate a trace file, then print out 
           the name and location of the file. 
Compress the *.run file into a .zip archive before uploading with the matching 
network trace.

Log in as: 2203240040008827_andr...@dtmxfer.onmicrosoft.com
1-Time: 1zUrbA5^

Workspace link: 
https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiNTRhNWIzZmUtY2IwMS00OTIyLWE2MWEtOWJmNWJmMzgwZTJhIiwic3IiOiIyMjAzMjQwMDQwMDA4ODI3IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiJlZDNmM2IyMC1jMDcyLTQ3ZDYtOWJlOS0yOTVhYThmODExNzAiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NTYyNjk0MTcsIm5iZiI6MTY0ODQ5MzQxN30.c0XHYuoanP8OZZnuFuCHEdL8WdbEk3oau8TtJSB1Z_c2cQy1A181bs8V2BV-s_a3RX5RVabyhHVofo7FQCT0C7mjqpbWTFQTtj4L-6yhtg9tx8W-iW6WMuX9nJ3plwGz2-ldJx8hLch4G3veiakDRlbtsQm6dfrgzxPzAov72eTdMmq_Fjru8LgBhJEi69Ipxb6toVHean1QZ0VyTkQliNXaPiwuOFgnULRN-gdoLYL38yoiliSvXnfznMu6JjtEGO9ft33PdqXPdmPzAvxbwMKy4WA_3hKDTuzIwcjRJ24VjTfoQe8E6Qkt2s1d3Gl9qXDJABnY11NMUdryAtp2nQ&wid=54a5b3fe-cb01-4922-a61a-9bf5bf380e2a

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open 
Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
Pacific Time (US and Canada)
Local country phone number found here: 
http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055
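
The collection procedure above, written out as one PowerShell script. This is an added example, not a script from the e-mail or from the TTD tooling; it assumes TTTracer.exe was staged in C:\TTD, that TTTracer writes the lsass01.run file under that directory (an assumption, since the e-mail says the tool prints the real location), and that netsh is acceptable for the server-side packet capture. Run it from an elevated PowerShell session on the server that returns the error.

```powershell
# Added example (not from the e-mail): LSASS TTD trace + concurrent packet capture,
# zipped for upload. Assumes TTTracer.exe lives in C:\TTD and writes its .run file
# under C:\TTD (assumption; the tool prints the real path when it finishes).

$ttdDir  = 'C:\TTD'
$tracer  = Join-Path $ttdDir 'TTTracer.exe'
$etlFile = Join-Path $ttdDir 'repro.etl'
$zipFile = Join-Path $ttdDir ('lsass-trace-{0}.zip' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Elevation check: attaching to LSASS and "netsh trace" both need an admin token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}
if (-not (Test-Path $tracer)) { throw "TTTracer.exe not found at $tracer" }

# Steps 1-2: find the PID of lsass.exe (exactly one instance should exist).
$lsass = @(Get-Process -Name lsass -ErrorAction Stop)
if ($lsass.Count -ne 1) { throw "Expected one lsass.exe, found $($lsass.Count)" }
$lsassPid = $lsass[0].Id
Write-Host "lsass.exe PID: $lsassPid"

# Steps 3-4: attach the recorder. It opens the small "lsass01.run" control window;
# that window must stay open until the trace has been written.
Start-Process -FilePath $tracer -ArgumentList "-attach $lsassPid" -WorkingDirectory $ttdDir
Read-Host 'Press Enter once the "lsass01.run" window is visible'

# Step 5: start the packet capture on the server side.
netsh trace start capture=yes tracefile="$etlFile" maxsize=512 overwrite=yes | Out-Null

# Step 6: reproduce the failing operation while both traces are running.
Read-Host 'Reproduce the failing operation now, then press Enter'

# Step 7: stop the network trace (netsh writes the .etl plus a .cab beside it).
netsh trace stop | Out-Null

# Steps 8-9: stop recording by unchecking "Tracing" in the control window.
# Do NOT close the window; TTTracer prints the trace file name when it is done.
Read-Host 'Uncheck "Tracing" in the lsass01.run window (do not close it), wait for TTTracer to print the file name, then press Enter'

# Locate the .run file (assumed to be under C:\TTD) and package it with the capture.
$runFile = Get-ChildItem -Path $ttdDir -Recurse -Filter 'lsass*.run' |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $runFile) { throw "No lsass*.run trace found under $ttdDir; use the path TTTracer printed" }

Compress-Archive -Path $runFile.FullName, $etlFile -DestinationPath $zipFile -CompressionLevel Optimal
Write-Host "Upload $zipFile to the file transfer workspace."
```

One caveat for whoever runs this: a TTD recording of LSASS captures that process's memory, so the .run file holds the server's Kerberos keys and any cached credentials. Treat the archive as secret material, upload it only over the workspace link, and delete the local copies once the case is closed.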

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Friday, March 25, 2022 11:38 AM
To: 'Andreas Schneider' <a...@samba.org>
Cc: 'cifs-protocol@lists.samba.org' <cifs-protocol@lists.samba.org>; 'Jeff 
McCashland' <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

Hi Andreas,

I'm analyzing the traces to see why you're getting the error. 

In the meantime, did you notice the expert warning in Wireshark on your request 
in frame 571? It says that the Ticket in the request is missing the KDC 
checksum in the Authorization data. 

Is this expected, or might it be causing the error? 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open 
Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
Pacific Time (US and Canada)
Local country phone number found here: 
http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055

-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Thursday, March 24, 2022 3:41 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Jeff McCashland <je...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[Tom to BCC]

Hi Andreas,

I will research your question and let you know what I find. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open 
Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) 
Pacific Time (US and Canada)
Local country phone number found here: 
http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Stacy Gray (stacygr), +1 (469) 775-4055

-----Original Message-----
From: Tom Jebo <tomj...@microsoft.com>
Sent: Thursday, March 24, 2022 1:24 PM
To: Andreas Schneider <a...@samba.org>
Cc: cifs-protocol@lists.samba.org; Tom Jebo <tomj...@microsoftsupport.com>
Subject: RE: [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

[dochelp to bcc]

Hi Andreas,

Thank you for your question about S4U2Self and KDC_ERR_C_PRINCIPAL_UNKNOWN. One 
of the Open Specifications support team members will follow up shortly to begin 
assisting you. In the meantime, I've created the case 2203240040008827 to track 
this issue. Please leave this number in the subject line when communicating 
with us about the issue.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Andreas Schneider <a...@samba.org>
Sent: Thursday, March 24, 2022 3:09 AM
To: Interoperability Documentation Help <doch...@microsoft.com>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] S4U2Self and RODC

Hello Dochelp Team,

we have a test which returns KDC_ERR_C_PRINCIPAL_UNKNOWN when attempting to use 
S4U2Self with a TGT from an RODC. We wonder why it returns 
KDC_ERR_C_PRINCIPAL_UNKNOWN in this case.

The test can be run with this command:

SMB_CONF_PATH=/etc/samba/smb.conf REALM=EARTH.MILKYWAY.SITE DOMAIN=EARTH 
SERVER=win-dc01.earth.milkyway.site DC_SERVER=win-dc01.earth.milkyway.site
SERVICE_USERNAME=win-dc01 ADMIN_USERNAME=Administrator 
ADMIN_PASSWORD=Secret007! FOR_USER=Administrator STRICT_CHECKING=0
FAST_SUPPORT=0 CLAIMS_SUPPORT=0 COMPOUND_ID_SUPPORT=0 TKT_SIG_SUPPORT=1
EXPECT_PAC=0 EXPECT_EXTRA_PAC_BUFFERS=0 CHECK_CNAME=0 CHECK_PADATA=0 
PYTHONPATH=/home/asn/workspace/projects/samba/asn-asserted-identity/bin/python
python3 -m samba.subunit.run
samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed

win-dc01 is an RWDC (Windows Server 2022). The test creates an RODC account on 
the DC.

Attached is a capture of the above test which shows that the S4U2Self request 
fails in frame 573 with KDC_ERR_C_PRINCIPAL_UNKNOWN. Could you please clarify 
why it fails with this error?

Thank you very much for your help. I'm looking forward to hearing from you.


Best regards


        Andreas


--
Andreas Schneider                      a...@samba.org
Samba Team                             
http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
